Bug 678091 - SSSD in 6.0 can not locate HBAC rules from FreeIPAv2
Summary: SSSD in 6.0 can not locate HBAC rules from FreeIPAv2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.0
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: ---
Assignee: Stephen Gallagher
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 678092
TreeView+ depends on / blocked
 
Reported: 2011-02-16 17:20 UTC by Stephen Gallagher
Modified: 2017-02-06 14:35 UTC (History)
4 users (show)

Fixed In Version: sssd-1.5.1-6.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 678092 (view as bug list)
Environment:
Last Closed: 2011-05-19 11:39:47 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0560 0 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2011-05-19 11:38:17 UTC

Description Stephen Gallagher 2011-02-16 17:20:16 UTC 
Description of problem:
SSSD shipped in 6.0 with the expectation that HBAC rules would be stored in the cn=account subtree of FreeIPAv2. However, the final version of the schema stores them in cn=hbac instead. So right now, there are no rules accepted (which means denial of all)

Version-Release number of selected component (if applicable):
sssd-1.2.1-28.el6_0.4

How reproducible:
Every time

Steps to Reproduce:
1. Set up a FreeIPA v2 server with one or more HBAC rules
2. Point an SSSD client at this server, with access_provider=ipa
  
Actual results:
User is always denied

Expected results:
Denial/permission should be based on the access control rules

Additional info:
Comment 4 Jenny Severance 2011-03-01 15:57:45 UTC 
Verified

server
ipa-server-2.0.0-13.el6.x86_64

client:
ipa-client-2.0.0-13.el6.x86_64
sssd-1.5.1-10.el6.x86_64

[root@ipaqavmh ~]# ipa hbacrule-show testdenyssh
  Rule name: testdenyssh
  Rule type: deny
  Source host category: all
  Description: test deny
  Enabled: TRUE
  Users: mmouse
  Hosts: ipaqavmh.rhts.eng.bos.redhat.com
  Services: sshd


Mar  1 10:04:21 ipaqavmh sshd[13984]: pam_sss(sshd:auth): authentication
success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=hp-dl180g6-01.rhts.eng.bos.redhat.com user=mmouse
Mar  1 10:04:21 ipaqavmh sshd[13984]: pam_sss(sshd:account): Access denied for
user mmouse: 6 (Permission denied
Comment 5 errata-xmlrpc 2011-05-19 11:39:47 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
Comment 6 errata-xmlrpc 2011-05-19 13:09:36 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
Note You need to log in before you can comment on or make changes to this bug.